Schools are at a Greater Risk for Cyber Attacks Than Ever Before – New K-12 Cybersecurity Report
August 2023 by iboss
Cyber threats against K-12 school districts are on the rise, yet only minimal steps are being taken at the local level to safeguard district technology assets and student information, according to a new research report from iboss.
The report, Why A Different Cybersecurity Ecosystem Is Needed Today, details findings from K-12 district, technology, and communications leaders on the cybersecurity challenges they’re facing today. iboss developed the report in partnership with Project Tomorrow, a national education nonprofit dedicated to supporting the effective implementation of research-based learning experiences in K-12 schools.
The report serves as a call to districts to implement a cross-organizational strategy and a new cybersecurity ecosystem to combat the present and future threats to the security of their district technology assets—and, crucially, their students. Additionally, the report encourages districts to incorporate cybersecurity best practices into sustainable new policies and procedures in order to adequately protect district digital assets, including student and staff personal data.
The findings should alarm school district leaders and parents, as cybersecurity incidents in schools can put student information at risk of being stolen, cripple emergency communications systems, and potentially shut down schools entirely. This year saw high-profile incidents that impacted the Baltimore, Minneapolis and Des Moines school districts, among others. The data concludes that:
Districts are acutely aware of the risks: 85% of district technology leaders and 84% of district administrators now agree that our nation’s K-12 schools are at a higher risk now for a cyber attack than ever before. And, according to nearly half of district technology leaders (45%), balancing access to online or digital educational resources with their security concerns about certain products or usage behaviors is a significant challenge.
Little preparation is happening: Only half of district technology leaders report that they have conducted a security audit within their district to identify risks and assess preparation levels for a cyberattack. Additionally, only 37% of technology leaders who said they conducted a security audit say the audits are dictated by district policy and conducted annually.
A lack of collaboration is partially to blame: Over two-thirds of district technology leaders (67%) say that ownership of cybersecurity within their district rests wholly with the IT Department. Only 32% say that cybersecurity is a shared responsibility across the district leadership team with collective accountability.
Best practices may be the answer: According to nearly half (49%) of district technology leaders, what is needed most urgently today is education on best practices for K-12 cybersecurity. Other consensus calls for cyber threat preparation assessments (42%), buy-in from district leadership (42%), and increased funding for cybersecurity (39%).
Translating the awareness of cyber threats into actual support at the district level continues to be difficult. However, the district leaders surveyed contributed potential solutions to combat apathy, including continued education about the reality of cyber risks, full and regular risk assessments, and implementing small procedural changes to obtain buy-in and demonstrate successful results.
"With cyber-attacks it’s not a matter of if, but when," said Mark Racine, Chief Information Officer at Boston Public Schools and iboss customer. "It will happen, but the severity and extent of the attack, response, and remediation will show how well-prepared the district is. With our district response plans, everyone is involved and informed. I believe being upfront and honest in the event of an attack should be the general disposition of every district".
"I’ve worked in both the tech and non-profit education sectors and found that enterprises have much greater awareness of cyber risk and are more willing to take action than schools," said Dr. Julie A. Evans, CEO of Project Tomorrow. "This might be because historically, technology departments at schools have had little interaction with other departments. That has to change. IT teams must work cooperatively with administration and other departments to share their knowledge to prevent further breaches and attacks."